Skip to content

chore(teak): backport security patch#850

Merged
Kelketek merged 1 commit into
opencraft/teakfrom
agrendalath/bb-10988-security-patches-teak
Jul 9, 2026
Merged

chore(teak): backport security patch#850
Kelketek merged 1 commit into
opencraft/teakfrom
agrendalath/bb-10988-security-patches-teak

Conversation

@Agrendalath

Copy link
Copy Markdown
Member

This is a clean backport of #849 to Teak.

The previous vendored pdf.js was 1.0.907 (May 2013), four major versions
behind upstream and within the range covered by Mozilla's
GHSA-wgrm-67xf-hhpq (arbitrary JavaScript execution upon opening a
malicious PDF). 5.7.284 is well past the >= 4.2.67 fix line.

The replacement comes from Mozilla's prebuilt
`pdfjs-5.7.284-legacy-dist.zip` GitHub Release artifact rather than the
`pdfjs-dist` npm package because the npm package is library-only -- it
ships `pdf.mjs` plus a bare `PDFViewer` component class, but no
`viewer.html` / `viewer.mjs` / `viewer.css` / locale files. A full npm
integration would mean rewriting the viewer page against the bare
component, which is appropriate as a non-security follow-up but not as
the fix here.

The viewer page (`lms/templates/pdf_viewer.html`) is rewritten as a Mako
adaptation of upstream `web/viewer.html`. A `<base href>` makes the
viewer's relative asset URLs resolve against the vendored copy.

The analytics shim (`lms/static/js/pdf-analytics.js`) is rewritten in
vanilla JS against `PDFViewerApplication.eventBus`. Four analytics
events (`textbook.pdf.thumbnails.toggled`,
`textbook.pdf.thumbnail.navigated`, `textbook.pdf.outline.toggled`,
`textbook.pdf.page.scrolled`) no longer fire because the corresponding
UI elements were refactored away in pdf.js 4.x's Views Manager
redesign.

A new `scripts/refresh-pdfjs-vendor.sh` is the tool for future bumps:
update PDFJS_VERSION + PDFJS_LEGACY_ZIP_SHA256, re-run, commit.

Closes GHSA-mj74-gfq3-2v9f.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
(cherry picked from commit 4d2e220)
@Agrendalath Agrendalath requested a review from Kelketek July 9, 2026 13:47
@Agrendalath Agrendalath self-assigned this Jul 9, 2026
@Kelketek

Kelketek commented Jul 9, 2026

Copy link
Copy Markdown
Member

Looks good, and the failing tests appear to be unrelated to the current PR, save for the one failing on a large diff, but I'm not worried about it. Merging and rolling it out.

@Kelketek Kelketek merged commit cd63453 into opencraft/teak Jul 9, 2026
43 of 47 checks passed
@Kelketek Kelketek deleted the agrendalath/bb-10988-security-patches-teak branch July 9, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants